Article Details

Scrape Timestamp (UTC): 2025-06-24 17:27:38.467

Source: https://www.theregister.com/2025/06/24/unknown_crims_using_hacked_sonicwall/

Original Article Text


Beware of fake SonicWall VPN app that steals users' credentials.

A good reminder not to download apps from non-vendor sites.

Unknown miscreants are distributing a fake SonicWall app to steal users' VPN credentials.

In a Monday threat intel alert, the firewall and VPN slinger said it and Microsoft spotted the info-stealing campaign, in which would-be thieves distributed a "hacked and modified version of SonicWall's SSL VPN NetExtender application that closely resembles the official SonicWall NetExtender software."

The attackers distributed a Trojanized installer of SonicWall's legitimate NetExtender 10.3.2.27, digitally signed with a fake "CITYLIGHT MEDIA PRIVATE LIMITED" certificate, via spoofed download sites. Users would visit the spoofed sites, and then download what they believed to be the most recent version of the SonicWall VPN app. But in reality, they got a fake NetExtender that, when executed, stole all their information related to the VPN configuration — username, password, domain, and more — and sent it to an attacker-controlled remote server.

SonicWall did not immediately respond to The Register's inquiries about the campaign's perpetrators, its scope, or the number of users affected. But we do know that everyone from suspected Chinese spies to ransomware criminals loves to break into SonicWall devices. And, assuming they were successful with this credential-stealing scam, they wouldn't even have to break in; they'd simply log in using real names and passwords.

The info-stealing application contains two modified files, both of which are part of the NetExtender installer, to execute the app and send stolen information to a remote server:

The real NeService.exe file contains a function that validates digital certificates and, once they are confirmed to be legitimate, executes the rest of the VPN's components. Otherwise, it displays a validation-failed message and quits. In this case, however, the miscreants modified the file to bypass the validation check so the installer would execute despite the invalid digital signature.

Plus, the crooks modified NetExtender.exe with malicious code to send VPN configuration info to a remote server with the IP address 132.196.198.163 over port 8080.

While SonicWall and Microsoft took down the phony websites and had the installer's digital certificate revoked, it doesn't take much effort to spin up new domains. So it's a good reminder not to download any apps, SonicWall or otherwise, from a non-trusted source. Going directly to the vendor's website is going to be your best and safest bet.
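As an added illustration (not code from the article, SonicWall or Microsoft), the two detections a defender can derive from the report: flag any process connecting to the reported 132.196.198.163:8080, and flag NetExtender components whose code-signing subject is the reported fake "CITYLIGHT MEDIA PRIVATE LIMITED" name or anything other than a valid SonicWall signature. The key=value telemetry format and the assumption that genuine binaries carry a signer containing "SonicWall" are constructed for this example.

```python
import re
# Indicators reported by SonicWall/Microsoft, as relayed in the article above
C2_IP = "132.196.198.163"
C2_PORT = "8080"
FAKE_SIGNER = "CITYLIGHT MEDIA PRIVATE LIMITED"
NETEXTENDER_BINARIES = {"neservice.exe", "netextender.exe"}
# Assumption for this example: genuine NetExtender binaries are signed by a SonicWall certificate
EXPECTED_SIGNER_FRAGMENT = "sonicwall"

# Constructed, simplified key=value telemetry (not real Sysmon or EDR output)
SAMPLE_LOG = [
    'event=netconn image="C:\\NetExtender\\NetExtender.exe" dst=132.196.198.163 dport=8080',
    'event=netconn image="C:\\NetExtender\\NetExtender.exe" dst=203.0.113.10 dport=443',
    'event=sig image="C:\\NetExtender\\NeService.exe" status=Valid signer="CITYLIGHT MEDIA PRIVATE LIMITED"',
    'event=sig image="C:\\NetExtender\\NetExtender.exe" status=NotSigned signer=""',
    'event=sig image="C:\\Genuine\\NetExtender.exe" status=Valid signer="SonicWall Inc."',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse(line):
    # One key=value record to a dict; quoted values may contain spaces
    rec = {}
    for m in FIELD.finditer(line):
        rec[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return rec

def check_connection(rec):
    # Any process talking to the reported exfiltration server and port
    if rec.get("event") == "netconn" and rec.get("dst") == C2_IP and rec.get("dport") == C2_PORT:
        return f"exfil connection: {rec.get('image')} -> {C2_IP}:{C2_PORT}"
    return None

def check_signature(rec):
    # NetExtender components without a valid SonicWall signature
    image = rec.get("image", "")
    if rec.get("event") != "sig" or image.rsplit("\\", 1)[-1].lower() not in NETEXTENDER_BINARIES:
        return None
    signer = rec.get("signer", "")
    if signer.upper() == FAKE_SIGNER:
        return f"known fake signer on {image}: {signer}"
    if rec.get("status") != "Valid" or EXPECTED_SIGNER_FRAGMENT not in signer.lower():
        return f"untrusted NetExtender binary {image} (status={rec.get('status')}, signer={signer!r})"
    return None

def scan(lines):
    # Run both checks over every record and collect the findings
    findings = []
    for rec in map(parse, lines):
        findings += [f for f in (check_connection(rec), check_signature(rec)) if f]
    return findings
```

Running `scan(SAMPLE_LOG)` yields three findings: the beacon to the reported server, the NeService.exe signed by the fake subject, and the unsigned NetExtender.exe; the genuinely signed copy is not flagged.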

Daily Brief Summary

MALWARE // Alert: Fake SonicWall VPN App Steals Sensitive User Credentials

SonicWall and Microsoft discovered a fake SonicWall SSL VPN app designed to steal user credentials.

The fraudulent app distributed a Trojanized version of the official SonicWall NetExtender software.

Malicious actors used a digitally-signed but fake certificate from "CITYLIGHT MEDIA PRIVATE LIMITED" to lend credibility to the installer.

Users were tricked into downloading the app from spoofed websites that mimicked legitimate download portals.

The tampered app bypassed digital certificate validation checks and installed malware that collected VPN configurations—usernames, passwords, domains—and sent this data to a remote server controlled by attackers.

Two modified files within the app, NeService.exe and NetExtender.exe, were specifically designed to execute the malicious operations.

Despite takedowns of the fake sites and revocation of the fraudulent digital certificate, the threat persists due to the simplicity of creating new malicious domains.

SonicWall advises downloading software directly from official vendor sites to avoid such security risks.